When Ajax Attacks!
Web application security fundamentals


Simon Willison, @media Ajax 2008

I’m here to scare you
• XSS
• PDF
• CSRF
• XBL
• UTF-7
• HTC
• crossdomain.xml
• JSON and JSONP

A few years ago...
• Web application security tutorials tended to boil down to three things:
• Don’t trust input from users: Boring!
• Avoid SQL injection attacks: Boring!
• Don’t let people inject JS into your pages: Way more interesting than it sounds

XSS
• Cross-site scripting
• Attacker injects JavaScript code into your site
• Amazingly common
• A single XSS hole on your domain compromises your security, entirely

Alex Russell:
“If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the ‘root’ or ‘ring 0’ attack of the web.”
http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/

Things I can do if you have an XSS hole
• Steal your users’ cookies and log in as them
• Show a fake phishing login page on your site
• Point your existing login form at my password catching server-side script
• Embed malware and drive-by downloads
• Perform any action as if I was your user (more on this one later)

Two types of XSS
• Reflected: I embed my JS in a link to your site and trick your user into following it
• Persistent: I get my XSS into your site’s database somehow so it shows up on your pages